ES-C2M2 Genesis - January 2012




The White House Blog

Protecting the Nation’s Electric Grid from Cyber Threats

Protecting the electric system from cyber threats and ensuring its resilience are vital to
our national security and economic well-being. This is exactly why cybersecurity is one
of four key themes in the White House's Policy Framework for a 21st Century Grid. For
obvious reasons, the private sector shares our interest in a safe and secure electric grid.
The Administration has benefited from working closely with industry, including to develop
the Roadmap to Achieve Energy Delivery Systems Cybersecurity, released by the
Department of Energy last September.



January  09,  2012 




To continue that close cooperation, last week Deputy Secretary of Energy Dan Poneman
and I, along [illegible] Department of Homeland Security, hosted industry
leaders to discuss a new initiative to further protect the electric grid from cyber risks. This
[illegible] - is a new [remainder illegible]

ES-C2M2 Background

• White House initiative

• Led by Department of Energy

• In partnership with Department of Homeland Security

• In collaboration with representatives of electricity subsector asset owners and operators

ES-C2M2 Challenge and Objectives

Challenge:

Develop capabilities to manage dynamic threats and
understand cybersecurity posture of the grid

Objectives:

• Strengthen cybersecurity capabilities

• Enable consistent evaluation and benchmarking of cybersecurity capabilities

• Share knowledge and best practices

• Enable prioritized actions and cybersecurity investments

ES-C2M2 Approach and Results

Approach:

• Create a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities

• Encourage public-private collaboration effort

• Leverage existing guidance and knowledge

Results:

• A scalable, sector-specific model created in partnership with industry

ES-C2M2 Collaboration

Model Architect

• Edison Electric Institute
• North American Electric Reliability Corporation (NERC)
• National Rural Electric Cooperative Association
• National Electric Sector Cybersecurity Organization
• Idaho National Laboratory
• American Public Power Association (PublicPower.org)
• National Institute of Standards and Technology (NIST), U.S. Department of Commerce
• Pacific Northwest National Laboratory

And numerous utilities, including

• Southern California Edison
• Bonneville Power Administration
• Pacific Gas & Electric
• Electric Reliability Council of Texas
• Dominion Resources
• American Electric Power

Short Model-Development Time Frame

Timeline, Jan 2012 to May 2012:

• Jan. 5: Kickoff Meeting
• Jan. 30: Advisory Group Working Session 1
• Feb. 14: Advisory Group Working Session 2
• Feb. 17: Draft domains to Advisory Group and SMEs for feedback
• Feb. 29: First draft model to Advisory Group
• March 2: Advisory Group Working Session 3
• March 16: Revised draft model to Advisory Group and SMEs
• March 22: Deliver pilot draft model and evaluation instrument for pilot
• March 29-May 4: Pilot Evaluations
• May 14-15: Advisory Group Working Session 4
• May 31: Initiative Closeout and Model Release

ES-C2M2 Resulting Artifacts

The Model

ELECTRICITY SUBSECTOR CYBERSECURITY CAPABILITY MATURITY MODEL (ES-C2M2)

http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012

94-page document

The model itself is only 45 pages

Self-Evaluation Tool Requests, Requests for Facilitation, & Questions

ES-C2M2@doe.gov

ES-C2M2: Industry Use and Adoption

Data as of 06/05/2013

Requesting entity type                         Organizations [1]   Individuals [2]
Utilities
  Cooperative (COOP)                           14                  14
  International                                3                   3
  Investor-owned (IOU)                         42                  51
  Public power (Muni)                          37                  47
  Regional Transmission Organization (RTO)     3                   3
  Total Utilities                              99                  118
Non-utilities                                  79                  86
International                                  20                  20
TOTAL                                          198                 224

1. Total number of unique organizations that have received the ES-C2M2 Self-Evaluation Toolkit.

2. Total number of unique individuals who have received the ES-C2M2 Self-Evaluation Toolkit.

Using ES-C2M2

[Diagram with the following boxes]

• Get Model & Tool
• Perform Evaluation
• Analyze Identified Gaps
• Prioritize and Plan
• Implement Improvements

A Maturity Model

Domains (a.k.a. Process Areas)

Scaling

Diagnostic Methodology

Domains that ES-C2M2 Examines

• Risk Management (RISK)
• Asset, Change, and Configuration Management (ASSET)
• Identity and Access Management (ACCESS)
• Threat and Vulnerability Management (THREAT)
• Situational Awareness (SITUATION)
• Information Sharing and Communications (SHARING)
• Event and Incident Response, Continuity of Operations (RESPONSE)
• Supply Chain and External Dependencies Management (DEPENDENCIES)
• Workforce Management (WORKFORCE)
• Cybersecurity Program Management (CYBER)

Domains are logical groupings of cybersecurity practices.

ES-C2M2 Structure

Maturity Indicator Levels

X  Reserved
3  Managed
2  Performed
1  Initiated
0  Not Performed

• 1 Maturity Indicator Level that is reserved for future use

• 4 Maturity Indicator Levels: Defined progressions of practices

• 10 Model Domains: Logical groupings of cybersecurity practices

Each cell contains the defining practices for the
domain at that maturity indicator level.

ES-C2M2 Maturity Indicator Levels Example

Specific Characteristics for the ASSET Domain

MIL0

MIL1

1. Asset inventory

a. There is an inventory of OT (operational technology) and IT
(information technology) assets that are important to the delivery of the
function.

MIL2

. . .

MIL3

1. Asset inventory

a. The asset inventory is current and complete for assets of defined
categories that are selected based on risk analysis.

b. Asset prioritization is informed by risk analysis.

Progress from one MIL to the next involves more complete or more advanced
implementations of the core activities in the domain.

The organization is also expected to perform additional activities at higher
levels consistent with its risk strategy.

ES-C2M2 Maturity Indicator Levels

Level   Name            Description
MIL0    Not Performed   • MIL1 has not been achieved in the domain.
MIL1    Initiated       • Initial practices are performed, but may be ad hoc.
MIL2    Performed       • Practices are documented.
                        • Stakeholders are involved.
                        • Adequate resources are provided for the practices.
                        • Standards or guidelines are used to guide practice implementation.
                        • Practices are more complete or advanced than at MIL1.
MIL3    Managed         • Domain activities are guided by policy (or other directives).
                        • Activities are periodically reviewed for conformance to policy.
                        • Responsibility and authority for practices are clearly
                          assigned to personnel with adequate skills and knowledge.
                        • Practices are more complete or advanced than at MIL2.

A Dual-Progression Model

ES-C2M2 is a dual-progression model.

Two things progress across the maturity indicator levels:

1. Institutionalization - the extent to which the practices are ingrained in the
organization’s operations

2. Approach - the activity’s completeness, thoroughness, or level of
development/sophistication

Domain Structure

Domain

Purpose Statement
Introductory Notes
(Intent and overview)

Specific Objective(s)
• Practices at MIL1
• Practices at MIL2
• Practices at MIL3
(One or more progressions of practices that are unique to the domain)

Common Objective
• Practices at MIL2
• Practices at MIL3
(Progression of practices that describe institutionalization activities - same in each domain)

Example Specific Objective: ASSET
— approach progression

Electricity Subsector Cybersecurity Capability Maturity Model Version 1.0, ASSET DOMAIN

3. Manage Changes to Assets

MIL1

a. Changes to inventoried assets are evaluated before being implemented

b. Changes to inventoried assets are logged

MIL2

c. Changes to assets are tested prior to being deployed, whenever possible

d. Change management practices address the full lifecycle of assets (i.e., acquisition,
deployment, operation, retirement)

MIL3

e. Changes to assets are tested for cybersecurity impact prior to being deployed

f. Change logs include information about modifications that impact the cybersecurity
requirements of assets (availability, integrity, confidentiality)

Notice that the practices progress from one MIL to the next within the objective (practices at higher MILs
are more complete in their implementation, more sophisticated in their approach, or more thorough).

Example Common Objective: ASSET
— institutionalization progression

4. Manage ASSET Activities

MIL1

No practice at MIL1

MIL2

a. Documented practices are followed for asset inventory, configuration, and change
management activities

b. Stakeholders for asset inventory, configuration, and change management activities are
identified and involved

c. Adequate resources (people, funding, and tools) are provided to support asset inventory,
configuration, and change management activities

d. Standards and/or guidelines have been identified to inform asset inventory, configuration, and
change management activities

MIL3

e. Asset inventory, configuration, and change management activities are guided by documented
policies or other organizational directives

f. Policies include compliance requirements for specified standards and/or guidelines

g. Asset inventory, configuration, and change management activities are periodically reviewed
to ensure conformance with policy

h. Responsibility and authority for the performance of asset inventory, configuration, and change
management activities is assigned to personnel

i. Personnel performing asset inventory, configuration, and change management activities have
the skills and knowledge needed to perform their assigned responsibilities

ES-C2M2: Maturity Indicator Levels


Model Domains (1-2 of 10)

Asset, Change, and Configuration Management (ASSET)

Manage the organization’s operational technology (OT) and
information technology (IT) assets, including both hardware and
software, commensurate with the risk to critical infrastructure and
organizational objectives, including activities to

• identify, inventory, and prioritize assets

• manage asset configurations

• manage changes to assets and to the asset inventory

Workforce Management (WORKFORCE)

Establish and maintain plans, procedures, technologies, and
controls to create a culture of cybersecurity and to ensure the
ongoing suitability and competence of personnel, commensurate
with the risk to critical infrastructure and organizational objectives.

• Responsibilities

• Workforce controls

• Knowledge, skills, and abilities

• Awareness

Model Domains (3-4 of 10)

Identity and Access Management (ACCESS)

Create and manage identities for entities that may be granted
logical or physical access to the organization's assets. Control
access to the organization's assets, commensurate with the risk to
critical infrastructure and organizational objectives.

• Identity management

• Access management

Risk Management (RISK)

Establish, operate, and maintain a cybersecurity risk management
and mitigation program to identify and manage cybersecurity risk to
the organization and its related interconnected infrastructure and
stakeholders.

• Strategy

• Sponsorship

• Program

Model Domains (5-6 of 10)

Supply Chain and External Dependencies Management (DEPENDENCIES)

Establish and maintain controls to manage the cybersecurity risk
associated with services and assets that are dependent on external
entities, commensurate with the organization's business and
security objectives.

• Dependency identification

• Risk management

• Cybersecurity requirements

Threat and Vulnerability Management (THREAT)

Establish and maintain plans, procedures, and technologies to
identify, analyze, and manage cybersecurity threats and
vulnerabilities, commensurate with the risk to critical infrastructure
and organizational objectives.

• Threat management

• Vulnerability management

• Cybersecurity patch management

• Assessments

Model Domains (7-8 of 10)

Event and Incident Response, Continuity of Operations (RESPONSE)

Establish and maintain plans, procedures, and technologies to
detect, analyze, and respond to cybersecurity incidents and to
sustain critical functions throughout a cyber event, commensurate
with the risk to critical infrastructure and organizational objectives.

• Detect events

• Declare incidents

• Respond to incidents

• Manage continuity

Situational Awareness (SITUATION)

Establish and maintain activities and technologies to collect,
analyze, alarm, present, and use power system and cybersecurity
information, including status and summary information from the
other model domains, to form a common operating picture,
commensurate with the risk to critical infrastructure and
organizational objectives.

• Logging

• Monitoring

• Awareness

Model Domains (9-10 of 10)

Information Sharing and Communications (SHARING)

Establish and maintain relationships with internal and external
entities to share information, including threats and vulnerabilities, in
order to reduce risks and increase operational resilience,
commensurate with the risk to critical infrastructure and
organizational objectives.

• Communication

• Analysis

• Coordination

Cybersecurity Program Management (CYBER)

Establish and maintain a cybersecurity program that provides
governance, strategic planning, and sponsorship for the
organization’s cybersecurity activities in a manner that aligns
cybersecurity objectives with the organization’s strategic objectives
and the risk to critical infrastructure.

• Strategy

• Sponsorship

• Program

• Architecture

ES-C2M2 Self-Evaluation

The ES-C2M2 model is supported by a survey-based self-evaluation.

An organization can use the survey (and associated scoring tool) to evaluate its
implementation of the model practices.

To complete the survey, an organization selects its level of implementation for the
model practice from a 4-point answer scale.

4-Point Answer Scale

Fully implemented       Complete
Largely implemented     Complete, but with a recognized opportunity for improvement
Partially implemented   Incomplete; there are multiple opportunities for improvement
Not implemented         Absent; the practice is not performed in the organization

ES-C2M2 Sample Summary Score

[Figure: summary score chart with rings labeled MIL1, MIL2, and MIL3]

There are 2 practices at MIL1 for the Risk Domain

Outer ring and number(s) summarize implementation state of those practices; in this
case, both practices are fully implemented

Legend: Fully implemented, Largely implemented, Partially implemented, Not implemented

SEI Training

Introduction to the CERT Resilience Management Model

February 18 - 20, 2014 (SEI, Arlington, VA)

June 17 - 19, 2014 (SEI, Pittsburgh, PA)
